Sunday, May 24, 2015

Locker is a file-encrypting ransom virus (ransomware) that encrypts your files using the RSA-2048 encryption algorithm so they are not accessible or recoverable without the unique encryption key. I've seen a few different versions of this ransomware so far: Locker v5.52, Locker v3.30, Locker v4.55, Locker v4.81 and Locker v2.60. Basically, it's the same ransomware, only with different version numbers. I bet there are even more versions out there, but I'm not quite sure why cyber criminals decided to do this. Anyway, no matter which version you have installed on your computer, it's the same ransomware. It does encrypt your files; it's not a joke. If you don't have backups you might be in trouble. This vicious malware is most definitely something you would be well advised to find out more about, so that you are better able to protect yourself from an attack. It is also extremely useful to know why you shouldn't give in to ransomware's demands and what to do if you have been infected.

Locker virus payment page:

It demands a payment of 0.1 BTC and gives information on how to buy Bitcoins. There's also a payment address, which is unique for every victim.

What does Locker ransomware do?

You have probably already guessed that the clue to unlocking the way ransomware works is in its name. Locker has been created to kidnap your files or data, freeze them and make them inaccessible or unusable. After doing this the program will send you an updated version of the old-fashioned ransom note, demanding that you pay 0.1 BTC (about $25) for your files to be released or unlocked. Once you've paid (which, by the way, you shouldn't – more on that in a minute) you will be sent a code that allows you to unlock your encrypted files. But when we say 'you will be sent' don't take that at face value, as many cyber criminals using Locker ransomware will not bother to send you anything, simply taking your money and disappearing, never to be heard of again. And don't think you'll be able to negotiate with them either – these types of people don't tend to have a customer care helpline.

And that's not all...

To make victims more likely to pay, the criminals behind Locker turn the fear factor up to eleven. You're already wondering if you're ever going to see your files and the data they contain again, but to pile even more stress upon you, many of these so-called ransom notes will either tell you that they have been sent by a law enforcement agency, such as the FBI or CIA, or tell you that the unlock code will become invalid and your files destroyed if you don't pay by a certain date. In this case, the cyber criminals give you 3 days to pay the ransom. The Locker ransom program says:

All your personal files on this computer are locked and encrypted by Locker [ver]. The encrypting has been done by professional software and your files such as: photos, videos, and cryptocurrency wallets are not damaged but just not readable for now. You can find the complete list with all your encrypted files in the files tab. The encrypted files can only be unlocked by a unique 2048-bit RSA private key that is safely stored on our server till [date]. If the key is not obtained before that moment it will be destroyed and you will not be able to open your files ever again. Obtaining your private unique key is easy and can be done clicking on the payment tab and pay a small amount of 0.1 BTC to the wallet address that was created for you. If the payment is confirmed the decryption key will be sent to your computer and the Locker software will automatically start the decrypting process. We have absolutely not interest in keeping your files encrypted forever. You can still safely use your computer, no new files will be encrypted and no malware will be installed. When the files are encrypted Locker [ver] will automatically uninstall itself.

It's very similar to BitCryptor ransomware. It shows the time remaining, lists all the encrypted files and gives you a personal Bitcoin wallet address.

What do I do? Pay the fine and make the problem go away?

It's not a good idea, but if you really, really care about the files, pay the ransom, although there is no guarantee that you'll get the files back. Besides, by paying you'll be perpetuating cyber crime. Instead, follow the removal guide below on how to salvage your data and clean your computer ASAP. There are a few tools that can help you to restore at least some of your files without paying a ransom. Even though there's no guarantee that these tools will help you, there's also no reason not to try them out. Who knows, maybe you will be the lucky one. Good luck and be safe online!

IMPORTANT! Before running anti-malware software and trying to restore your files, COPY the encrypted files, your Bitcoin wallet address (see under the Payment tab) and the %PROGRAMDATA%\rkcl, %PROGRAMDATA%\tor, %PROGRAMDATA%\steg or %PROGRAMDATA%\Digger folder (with its files) to an external hard drive, CD/DVD or USB flash drive. You should have these in case you decide to pay the ransom or someone creates a decryption tool.

The ransomware is also known to disable certain system features such as System Restore, to delete shadow copies, and to prevent software from being uninstalled. This makes it incredibly difficult to remove it or to roll back to solve the issue.
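One way to do the preservation step above before any cleanup, as an added example that is not part of the original guide: a PowerShell script that copies the four %PROGRAMDATA% folders named in the guide to an external drive, records whether bclock.exe is still running and lists any shadow copies that survived. The $Destination parameter is an assumption (point it at your external drive); the encrypted files themselves and the wallet address from the Payment tab still have to be copied by hand.

```powershell
# Added example, not part of the original guide: preserve the Locker artifacts
# the guide says to copy and record the system state before cleanup.
# Run from an elevated PowerShell prompt. $Destination is an assumption.
param(
    [Parameter(Mandatory = $true)]
    [string]$Destination   # e.g. E:\ on an external drive (assumed path)
)

$ErrorActionPreference = 'Stop'
$outDir = Join-Path $Destination ("locker-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$notes = Join-Path $outDir 'notes.txt'

function Note([string]$Text) {
    # Print and append to the notes file kept alongside the preserved folders.
    Write-Host $Text
    Add-Content -Path $notes -Value $Text
}

# 1. The folders named in the guide: %PROGRAMDATA%\rkcl, \tor, \steg and \Digger.
foreach ($name in 'rkcl', 'tor', 'steg', 'Digger') {
    $folder = Join-Path $env:ProgramData $name
    if (Test-Path -LiteralPath $folder) {
        Copy-Item -LiteralPath $folder -Destination $outDir -Recurse -Force
        Note "Preserved $folder"
    } else {
        Note "Not present: $folder"
    }
}

# 2. Is bclock.exe (the process the guide says to disable) still running?
$proc = Get-Process -Name 'bclock' -ErrorAction SilentlyContinue
if ($proc) {
    Note ("bclock.exe is running, PID(s): " + ($proc.Id -join ', ') +
          ", path: " + ($proc.Path -join ', '))
} else {
    Note 'bclock.exe is not running'
}

# 3. Locker is reported to delete shadow copies; record whatever is still there
#    so you know whether restoring from shadow copies is still an option.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
Note "Shadow copies remaining: $($shadows.Count)"
$shadows | Select-Object ID, InstallDate, VolumeName |
    Format-Table -AutoSize | Out-String |
    Add-Content -Path (Join-Path $outDir 'shadow-copies.txt')

Note "Done. Now copy your encrypted files and the wallet address to $Destination as well."
```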

Step 1: Removing Locker and related malware:

Before restoring your files from shadow copies, make sure the Locker virus is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove the detected malware.

IMPORTANT! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again. Also, try to disable bclock.exe using Process Explorer.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by Locker virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

19 comments:

Anonymous said...

What should I do if I deleted the program without copying it and the key? I tried to recover the virus with a few programs, but it didn't work. I lost some really important files... Do I need to get the virus again?

Holy hell, I woke up today to find this puppy nesting on my desktop. I'm just glad I only lost 1 important word document out of all the encrypted files, could've been worse. Honestly, a fresh Windows install is looking like the best option! On a side note though, watch out for any 3vasion jailbreaking software, I think that's where I picked it up.

@Fuldark Poulsen, this is probably spread by an exploit kit: visiting an infected website or opening a malicious PDF file or some other document online is enough to infect your computer. You don't need to install or download anything.

I woke up to this on my computer this morning. Thankfully, I have all my files backed up. I am going to do a full reinstall as this is the second attack I've had lately. (The last one was a browser hijacker. It is unrelated to this.)

I've actually been away from my pc for 1.5 days, with no problems while leaving. Just to come back, wiggle my mouse to exit my screensaver, and see this locker virus on my screen. So I haven't even opened anything or clicked on something. There wasn't any activity on the pc apart from it being turned on and logged in.

I have this problem... but I don't want to pay anything... NOTHING.... Can I just wait for the time (72 hours) to pass, and after this everything becomes normal?? I repeat, I don't want to pay anything... Please reply fast... :(

Is there no other way that I can recover my files?? I haven't done a backup in like forever.... And I was working on a really important project... Lost all of it.... I really need those files back. Is there some way I can decrypt them myself?

@Agnel Nieves, there is no way to recover files. I even hired a company to do it and they're still working on trying to get my files back. They said it's probably not likely. They saved them, just in case there is a way in the future. How long ago did you do a backup?

Hey guys... This s**t appeared on my laptop yesterday. I saw it would encrypt just photos and League of Legends, which is not that important for me. But I still want to keep those files on my PC :P... I want some answers today, please:

1. Is the software that was shown to us safe and good?

2. Is there any chance to save my photos by copying them onto a USB stick or an external hard disk?

3. As Admin said, "this is probably exploit kit spread when visiting an infected website or opening a malicious PDF file or some other document online is enough to infect your computer". I visited 990.ro to get a film and the page showed me that the page I visited is not safe, and after 2 days this s**t appeared. Could it be because of that?

P.S. TY very much guys and sorry for my English, I'm from Romania. :))) Hope you answer me

2. If your files are already encrypted then it won't change a thing. Of course, you can copy them to a USB stick and wait for a decryption tool to be made. But in general, creating backups is a good idea.

3. Yes, especially when you say that you got a warning about it. Definitely could have been a source of infection.

Awesome. Thank you so very much. Using the brute-force option I was able to retrieve the Bitcoin address and decrypt all my files. Though I wouldn't have paid the ransom, it was impossible for me to do so. I can't purchase bitcoins and have never done so in my life. Struggling in life at the moment after divorce and everything, I really can't afford much atm. I really cannot thank you enough for the Locker Unlocker decryption tool. Thank you so very much. It's very much appreciated. THANK YOU :)


About Me

Hi there, and welcome to my humble web presence. I'm Michael Kaur. Malware squasher, geek, and blogger based in Los Angeles, CA. If you'd like to contact me, the easiest way is through email given below or Google+. Simply add me to your Google Plus circles.
